Shambliss Guardian Blog

  • Join us for the Cyber Summit, presented by Shambliss Guardian, DSP Insurance, and Chubb for current and future trends in cyber liability, AI risk and governance, and cybersecurity strategy.

    The Evolution of Cyber Liability Insurance: A Look Back 

    As digital transformation continues to shape the business landscape, cyber liability insurance has become essential for organizations of all sizes, particularly in the middle market. At DSP Insurance, we’ve seen firsthand how the cyber risk environment has evolved, and we’ve been at the forefront of helping our clients adapt to these changes – both through proactive risk management and the placement of robust cyber security insurance coverage. 

    The Origins of Cyber Liability Insurance 

The story of cyber liability insurance begins in the late 1990s when the first policies were created to address the emerging risks tied to the internet and digital data. Back then, businesses relied on traditional insurance lines that were not equipped to handle the unique challenges posed by cyber threats. As the internet became central to business operations, a specialized approach to cyber risk management became a necessity. 

    Early policies were narrow in focus, covering areas like data breaches and network security issues, and were largely targeted at tech firms and large enterprises. As these risks became more prevalent, insurers expanded coverage and offered broader policies across different industries, helping middle-market businesses access much-needed protection. 

    A Two-Pronged Approach to Cyber Risk 

    At DSP Insurance, we generally advocate for a two-pronged approach to cyber risk management. First, proactive threat evaluation and deterrence are essential to minimizing a company’s exposure to cyber threats on the front end. This involves assessing vulnerabilities, implementing cybersecurity best practices, education and training for teams, and continuously monitoring for potential breaches. Preventive measures not only reduce the likelihood of an attack but also help lower insurance premiums by demonstrating a commitment to risk management and presenting your business as a “best in class” risk. 

    Second, having robust cyber liability policies and effective risk transfer mechanisms ensures that, in the event of a breach or cyber incident, businesses have the financial protection they need. A well-structured cyber insurance policy covers the costs of data recovery, business interruption, legal liabilities, and more, allowing businesses to recover swiftly and limit long-term impact. This “offense” and “defense” approach helps insureds stay ahead of threats while safeguarding their operations. 

    Risk Transfer and the Expansion of Coverage 

In the early 2000s, as cyberattack volume increased, insurers began offering policies that covered a wider range of cyber risks. This marked a turning point for businesses, including those in manufacturing, retail, and healthcare, who could now transfer their cyber risks as they already did with property and casualty exposures. Policies evolved to cover not only data breaches but also business interruption, ransomware, and regulatory fines, among others. 

    At DSP Insurance, we continue to educate our teams and partner with best-in-class carriers to help our customers navigate these changes by providing tailored coverage options that address the specific cyber vulnerabilities they face. Our two-pronged approach of proactive risk reduction and robust risk transfer via cyber liability insurance ensures our clients are fully equipped to manage the ever-evolving landscape of cyber threats. 

    Where We Are Today 

    The last two decades have been marked by constant evolution in cyber insurance. As technology continues to drive business growth, middle-market companies have become attractive targets for cybercriminals. In response, cyber policies have grown in scope and sophistication. Insurers now offer tools such as cybersecurity assessments, breach response services, and risk mitigation advice to help clients stay ahead of cyber risks. 

    As we look toward the future, the role of artificial intelligence and other advanced technologies will continue to influence the landscape of cyber risk and insurance. 

For more information, feel free to contact Taylor Virgil at tvirgil@dspins.com or visit our website.

    Don’t Miss the DSP Cyber Summit on October 10th! 

    Join us on Thursday, October 10th for the DSP Cyber Summit, where industry leaders will dive deep into the practical application of Trust and Verify in cybersecurity. Don’t miss out on learning how to strengthen your organization’s security posture! Click here to secure your spot today. 

  • Trust and Verify

Business owners (CEO), finance/risk managers (CFO), and operations teams should follow the tenets of Trust and Verify for cybersecurity. Trust and verify has been a standard for accounting and auditing firms for decades. It is also a standard for governance, risk, and compliance teams.

    I strongly suspect, though, that businesses are not consistently following trust and verify principles for their cybersecurity. CEOs and CFOs trust, sometimes without a basis in facts, the network and security teams’ statement “We are secure.”

    This leads to three alternative business situations:
    1. The security leader (CISO) has the experience and the metrics to prove that the organization is secure. In this case, the company measures the success of its security controls and documents and tests its policies and procedures. The company embraces an external verification to confirm internal team expertise and its security posture.

2. The security leader (CISO) states the organization is secure without metrics. The company acknowledges that it could improve its security posture. It documents its processes for many best practices, but not always. The security leader welcomes an external verification to support requests for funding, products, and staffing. The organization embraces consulting expertise to help build a better security posture.

    3. The security leader (CISO) states that the organization is secure but can’t produce any documentation, processes, or testing results. The security leader advocates against documentation or process or testing and perhaps even delays or stonewalls an external review. All trust and no verification should be a warning sign to management that their organization is not properly protected.

    Owners should be hesitant to trust when there is no verification. The effective security leaders we have consulted with have been proud of their work and happy to demonstrate the defense capabilities they have established.

    It’s quick and cost-effective to have an external vendor perform a high-level security posture review that includes assessment of your security repository holding documentation and processes.

    Oops! You don’t have a repository? You don’t have access to an encrypted location with security and network key applications and passwords? Consider: Are you being held hostage by one person in the organization with “Keys to the Kingdom?”

    Private message me to discuss strategies to align leadership statements on security posture with verification in 15-30 minutes.

  • The Cybersecurity Budget Paradox: Are We Asking the Wrong Questions?

Cybersecurity budgets are tight, and a recent Economic Times CISO article suggests cybersecurity funding, or the lack of it, is a critical issue. The article focuses on India-based organizations, and admittedly, the stats are alarming:

    • India experienced a 46% year-over-year increase in cyber attacks
    • 3,201 attacks per week on average targeting Indian organizations
• The average Indian company allocated less than 10% of its IT budget to cybersecurity

    But here’s the controversy: Are we focusing too much on budget size and not enough on budget efficiency?

    Consider this: Some organizations with massive cybersecurity budgets still fall victim to attacks, while others with modest budgets maintain robust security. Why?

    The answer might lie in how we approach cybersecurity, not just how much we spend on it. Perhaps the solution to our budget woes isn’t always more money, but more creativity in how we use what we have.

    Here are some possible strategies:

    1. Optimize what you have: Ensure all your tools are pulling their weight
    2. Prioritize based on risk: Not everything needs top-tier protection
    3. Leverage AI and automation: Let machines handle the grunt work
    4. Educate your team: A well-trained workforce is your human firewall
    5. Speak the Board’s language: Translate tech-speak into business impact

What if the key to better cybersecurity isn’t in your wallet, but in your approach? Instead of asking “How much should we spend?” we should ask “How can we spend smarter?”

    Some have credited Albert Einstein with the quote, “If I had only one hour to save the world, I would spend 55 minutes defining the problem, and only five minutes finding the solution”. While he might not have actually said this, it’s a powerful statement nonetheless.

    It’s time to rethink our cybersecurity strategies. Let’s start by asking different questions. The answers might surprise us.

  • The Imperative of Cybersecurity for Building Automation Systems

    In the era of smart buildings, where everything from temperature control to physical security is managed by interconnected systems, security for building automation systems (BAS) is a must for all owners and managers.

    Vulnerabilities in Building Automation Systems:
    1.  Legacy Systems have outdated BAS technologies
2.  Interconnectedness means one compromised system can put every connected system at risk
    3.  Remote Access often uses insecure methods
    4.  Third-Party Integration increases the attack surface
    5.  Lack of Security Awareness can lead to overlooking BAS security risks

    The consequences of inadequate cybersecurity measures for BAS include:
    1.  Data Breaches of client information
    2.  Disruption of Operations can result in uninhabitable buildings
3.  Physical Security Threats mean possible unauthorized access, theft, or physical harm to tenants
    4.  Energy Tampering results in financial losses
5.  Reputation Damage hurts both brand and financial results

    Best Practices for Securing Building Automation Systems:
    1.  Incident Response: Retainer, plan, and test
    2.  Network Segmentation: Isolate BAS
    3.  Visibility and Continuous Monitoring: Document and monitor
    4.  Access Control: Establish multi-factor authentication
    5.  Vulnerability Management: Manage internal and external vendors

    Building automation systems continue to evolve and become more interconnected. By implementing robust security measures and staying vigilant, building owners and managers can ensure the safety, efficiency, and resilience of their smart spaces.

    https://www.shambliss-guardian.com

  • AI is changing the way buildings are managed

AI is changing the way buildings are managed for all the reasons in this good article. It is also changing the way they are being attacked by cyber criminals. Building Automation Systems can be overlooked as an attack vector and need to be protected like any other asset to avoid:

    Material damage costs
    o Property destruction
    o Loss of life and bodily injury

    Non-material damage costs
    o Business interruption
    o Contingent business interruption
    o Loss of shareholder value
    o Loss of data
    o Uninhabitable Buildings
    o Bricking of critical machines and infrastructure

Attackers are using AI against us. We need to use AI to fight back. Humans are not fast enough for AI-driven attacks.

    https://www.facilitiesdive.com/news/ais-impact-on-facility-operations-and-data-center-demand/716705

  • Why do cybercriminals focus their attacks on factories?

    Easy targets are keys to an attacker’s success. Unprotected factory devices are becoming exposed to the internet. Vulnerabilities in ICS/OT equipment abound due to the legacy nature of many systems that were designed and implemented before security became a top priority.
The exposure may be intentional (Factory 4.0 initiatives, digital transformation projects, and the desire to use AI to enhance safety and production) or the result of a mistaken configuration. Either way, reliance on ‘air-gapped’ environments or a single firewall to protect your production is no longer sufficient. And don’t forget to include IoT/building automation systems in your segmentation and protection strategy.

Solutions should include user identity, application controls, network segmentation, network access controls, and 24x7 monitoring and management.
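As an added example (not code from the Shambliss Guardian posts or from any of the articles they link), the following Python script illustrates the advice that appears in both the building-automation post above ("Network Segmentation: Isolate BAS", "Visibility and Continuous Monitoring") and this factory post (segmentation plus 24x7 monitoring): it reads flow records exported from a firewall or flow collector and flags every flow that enters the BAS/OT segment without an explicit allow-list match, which is how a segmentation policy is verified rather than merely trusted. The subnets, the jump host, the record format, and the sample records are all constructed assumptions; 47808/udp is the standard BACnet/IP port.

```python
"""Flag traffic entering a BAS/OT segment that is not on the segmentation allow-list.

Added illustration; all addresses, subnets, and the flow-record format are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional, Union

IPAddr = Union[ipaddress.IPv4Address, ipaddress.IPv6Address]

# Hypothetical segment ranges: substitute the real BAS/OT and corporate prefixes.
BAS_NET = ipaddress.ip_network("10.50.0.0/16")
CORP_NET = ipaddress.ip_network("10.10.0.0/16")

# Flows permitted INTO the BAS segment: (source network, destination port, protocol).
# 47808/udp is BACnet/IP; the workstation subnet and jump host are assumed values.
ALLOWED_INTO_BAS = (
    (ipaddress.ip_network("10.10.5.0/24"), 47808, "udp"),   # BMS operator workstations -> BACnet/IP
    (ipaddress.ip_network("10.10.5.0/24"), 443, "tcp"),     # BMS operator workstations -> controller web UI
    (ipaddress.ip_network("10.10.20.10/32"), 22, "tcp"),    # hardened jump host -> SSH maintenance
)


@dataclass(frozen=True)
class Flow:
    ts: str
    src: IPAddr
    dst: IPAddr
    dport: int
    proto: str


def parse_flow(line: str) -> Flow:
    """Parse one record in the constructed format: '<timestamp> <src> <dst> <dport> <proto>'."""
    parts = line.split()
    if len(parts) != 5:
        raise ValueError(f"expected 5 fields, got {len(parts)}: {line!r}")
    ts, src, dst, dport, proto = parts
    return Flow(ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto.lower())


def classify(flow: Flow) -> Optional[str]:
    """Return a violation reason for flows entering BAS without an allow-list match, else None."""
    if flow.dst not in BAS_NET:
        return None  # not destined for the BAS segment: out of scope for this check
    if flow.src in BAS_NET:
        return None  # intra-BAS traffic is governed by other controls, not the boundary policy
    for net, port, proto in ALLOWED_INTO_BAS:
        if flow.src in net and flow.dport == port and flow.proto == proto:
            return None
    origin = "corporate" if flow.src in CORP_NET else "external"
    return f"{origin} source {flow.src} -> BAS {flow.dst}:{flow.dport}/{flow.proto} not on allow-list"


def find_violations(lines: Iterable[str]) -> List[dict]:
    """Scan records; report allow-list violations and records the parser could not read."""
    findings: List[dict] = []
    for n, line in enumerate(lines, 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        try:
            flow = parse_flow(line)
        except ValueError as exc:
            # A record that cannot be parsed is itself a monitoring gap, so surface it.
            findings.append({"line": n, "reason": f"unparseable record: {exc}"})
            continue
        reason = classify(flow)
        if reason:
            findings.append({"line": n, "ts": flow.ts, "reason": reason})
    return findings


# Constructed sample records (not real traffic): timestamp src dst dport proto
SAMPLE_FLOWS = """\
# constructed sample flow records
2024-09-01T10:00:01Z 10.10.5.23   10.50.1.10 47808 udp
2024-09-01T10:00:05Z 10.10.77.4   10.50.1.10 47808 udp
2024-09-01T10:00:09Z 10.10.20.10  10.50.2.5  22    tcp
2024-09-01T10:00:12Z 203.0.113.9  10.50.1.10 47808 udp
2024-09-01T10:00:15Z 10.50.1.10   10.50.1.11 47808 udp
2024-09-01T10:00:20Z 10.10.5.23   10.50.1.10 3389  tcp
2024-09-01T10:00:25Z garbage-record
""".splitlines()

if __name__ == "__main__":
    for finding in find_violations(SAMPLE_FLOWS):
        print(f"line {finding['line']}: {finding['reason']}")
```

On the sample records the script reports a corporate host outside the operator subnet speaking BACnet to a controller, an Internet source reaching a controller directly, an operator workstation using RDP that the policy never permitted, and one record it could not parse. Run against real flow exports on a schedule, an empty findings list is the evidence that the "isolate BAS" control is actually in force, which is the verification the Trust and Verify post asks leadership to insist on.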

We believe firms should start now, on their own timeline, before governmental, industry, and supply chain requirements become hard deadlines.

    Regulations:
    SP 800-82 Rev. 3, Guide to Operational Technology (OT) Security | CSRC (nist.gov)
    EU Cyber Resilience Act | Shaping Europe’s digital future (europa.eu)
    Recent Articles:
    Microsoft Warns of Surge in Cyber Attacks Targeting Internet-Exposed OT Devices (thehackernews.com)
    Rockwell Advises Disconnecting Internet-Facing ICS Devices Amid Cyber Threats (thehackernews.com)
    Breaches:
    Thyssenkrupp Auto Unit Hit by Cyberattack – WSJ
    VARTA makes good progress in solving the cyberattack (varta-ag.com)
